
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Is ChatGPT HIPAA Compliant?

Generic ChatGPT services are not HIPAA compliant and cannot be used in a HIPAA-compliant manner because they do not offer the safeguards and Business Associate Agreements required under the HIPAA Security and Privacy Rules to protect PHI. However, OpenAI now offers ChatGPT for Healthcare that can support HIPAA compliance under specific conditions.

Artificial intelligence tools have rapidly entered clinical, administrative, and patient‑facing workflows. Among them, ChatGPT has become one of the most widely recognized. But as healthcare organizations explore how to use AI responsibly in compliance with HIPAA and state laws governing the use of AI in healthcare, a central question emerges: Is ChatGPT HIPAA compliant?

In most cases the answer is no. Most ChatGPT-based services cannot be configured to prevent unauthorized access, use, or disclosure of PHI, and they do not support HIPAA-standard access controls, activity logs, or audit trails. Furthermore, consumer ChatGPT services may use user inputs to improve the accuracy of outputs unless the user opts out or subscribes to a paid service level with different data-use terms.

Is it Possible to Make ChatGPT HIPAA Compliant?

Unless an organization subscribes to the ChatGPT for Healthcare product, it is not possible to make “off-the-shelf” ChatGPT HIPAA compliant. This is because OpenAI – the vendor of ChatGPT – will not enter into a Business Associate Agreement for the Free, Plus, Team, or Enterprise versions of its product. This means it is not permitted to use PHI when inputting prompts on these platforms.


However, ChatGPT-based services can be used with de-identified PHI, provided the PHI has been de-identified using a method permitted by the HIPAA Privacy Rule. De-identified PHI is no longer PHI and is not subject to the HIPAA Rules requiring a Business Associate Agreement. When using ChatGPT in this way, workforce members should receive HIPAA training to ensure they do not disclose PHI impermissibly.

Healthcare developers can apply for a Business Associate Agreement to embed the ChatGPT API into clinical, administrative, and operational applications, and this would allow users to input PHI into AI-assisted applications approved by the organization. Approval of an Agreement in these cases is subject to the application environment being HIPAA compliant. It does not make ChatGPT HIPAA compliant.

Is ChatGPT Health HIPAA Compliant?

ChatGPT Health is a consumer‑facing health and wellness service built into “standard” ChatGPT products. Launched in 2026, ChatGPT Health is designed to help individuals query symptoms, understand lab results, prepare for medical appointments, and get lifestyle guidance using information input by users, acquired from user-connected apps, and created in collaboration with physicians.

Although ChatGPT Health has enhanced privacy protections and does not use consumer inputs to train its algorithm, the product is still governed by consumer-grade terms rather than by HIPAA standards. Consequently, although ChatGPT Health may be useful for patient education and general health advice, organizations cannot use it to process PHI, document care, or support clinical decision‑making.

Regarding whether it is possible to make ChatGPT Health HIPAA compliant, the answer is no. There are no circumstances in which OpenAI will enter into a Business Associate Agreement with a ChatGPT Health user as the purpose of the product is to support personal health literacy rather than regulated healthcare operations.

For this reason, it is important for workforce members to understand the difference between ChatGPT Health and ChatGPT for Healthcare when the latter product is deployed by a healthcare organization.

What is ChatGPT for Healthcare?

ChatGPT for Healthcare was launched in January 2026 as an enterprise‑grade AI product designed specifically for hospitals, clinicians, and regulated healthcare environments. The LLM algorithm that powers the product is optimized for clinical accuracy, guideline‑aligned responses, and transparent citations drawn from peer‑reviewed research and public health recommendations.

ChatGPT for Healthcare differs significantly from consumer ChatGPT-based products, as it operates within a protected environment and has the necessary safeguards and administrative controls to support HIPAA compliance. PHI entered into the product via user prompts is not used to train the algorithm, and OpenAI will enter into a Business Associate Agreement with qualifying healthcare organizations.

However, ChatGPT for Healthcare is not HIPAA compliant out of the box. The product enables HIPAA-compliant use under proper organizational configuration and governance, but, like any information system, it must be deployed and managed in accordance with HIPAA policies and risk management practices. You can read more about the measures necessary to make the use of ChatGPT for Healthcare HIPAA compliant in this article.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
